ASP Session <session>


The <session> element of the <asp> element specifies the Active Server Pages (ASP) session state settings. Session state is a means by which Internet Information Services (IIS) 7 stores information about each unique client session. For example, if your Web site has a shopping cart application, the contents of each client's shopping cart can be stored in session state.

You must have memory resources on the server to preserve ASP session state, and the amount of memory that is required varies depending on the amount of information that you are storing in each session. To help regulate the resources that IIS 7 will use, you can specify the settings for session state. For example, the max attribute specifies the maximum number of sessions to store, and the timeout attribute specifies the duration of each ASP session.

If your applications do not require session state, setting the allowSessionState attribute to false will disable ASP session state.


Version Notes
IIS 7.5 The <session> element was not modified in IIS 7.5.
IIS 7.0 The <session> element of the <asp> element was introduced in IIS 7.0.
IIS 6.0 The <session> element replaces the following IIS 6.0 metabase properties:
  • AspAllowSessionState
  • AspKeepSessionIDSecure
  • AspSessionMax
  • AspSessionTimeout


To support and configure ASP applications on your Web server, you must install the ASP module. To install the ASP module, use the following steps.

Windows Server 2008 or Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, select ASP.

  5. If the Add role services required by ASP dialog box appears, click Add Required Role Services. (This page appears only if you have not already installed the ISAPI Extensions role service on your server.)

  6. On the Select Role Services page, click Next.
  7. On the Confirm Installation Selections page, click Install.
  8. On the Results page, click Close.

Windows Vista or Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, then World Wide Web Services, then Application Development Features.
  4. Select ASP, and then click OK.

How To

How to configure ASP session state settings for a site or application

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, expand the server name, expand Sites, and then navigate to the Web site or Web application that you want to configure.
  3. In the site or application Home pane, double-click ASP.

  4. In the ASP pane, expand the Session Properties section and configure your desired settings.

  5. Click Apply in the Actions pane.



Attribute Description
allowSessionState Optional Boolean attribute.

Specifies whether session state persistence for an ASP application is enabled.

The default value is true.
keepSessionIdSecure Optional Boolean attribute.

Specifies whether a session ID is sent as a secure cookie if assigned over a secure session channel.

The default value is true.
max Optional uint attribute.

Specifies the maximum number of concurrent sessions.

The default value is 4294967295.
timeout Optional timeSpan attribute.

Specifies the maximum period of time (hh:mm:ss) that a session object is maintained after the last request associated with the object is made.

The default value is 00:20:00.

Child Elements


Configuration Sample

The following configuration sample enables ASP session state, sets the maximum number of ASP sessions to 1000, and sets the session time-out to 10 minutes for the Default Web Site.

<location path="Default Web Site">
         <session allowSessionState="true" max="1000" timeout="00:10:00" />

Sample Code

The following code samples enable ASP session state, sets the maximum number of ASP sessions to 1000, and sets the session time-out to 10 minutes for the Default Web Site.


appcmd.exe set config "Default Web Site" -section:system.webServer/asp /session.allowSessionState:"True" /commit:apphost
appcmd.exe set config "Default Web Site" -section:system.webServer/asp /session.max:"1000" /commit:apphost
appcmd.exe set config "Default Web Site" -section:system.webServer/asp /session.timeout:"00:10:00" /commit:apphost

Note: You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.


using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
   private static void Main()
      using (ServerManager serverManager = new ServerManager())
         Configuration config = serverManager.GetApplicationHostConfiguration();
         ConfigurationSection aspSection = config.GetSection("system.webServer/asp", "Default Web Site");

         ConfigurationElement sessionElement = aspSection.GetChildElement("session");
         sessionElement["allowSessionState"] = true;
         sessionElement["max"] = 1000;
         sessionElement["timeout"] = TimeSpan.Parse("00:10:00");



Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample

   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetApplicationHostConfiguration
      Dim aspSection As ConfigurationSection = config.GetSection("system.webServer/asp", "Default Web Site")

      Dim sessionElement As ConfigurationElement = aspSection.GetChildElement("session")
      sessionElement("allowSessionState") = True
      sessionElement("max") = 1000
      sessionElement("timeout") = TimeSpan.Parse("00:10:00")

   End Sub

End Module


var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var aspSection = adminManager.GetAdminSection("system.webServer/asp", "MACHINE/WEBROOT/APPHOST/Default Web Site");

var sessionElement = aspSection.ChildElements.Item("session");
sessionElement.Properties.Item("allowSessionState").Value = true;
sessionElement.Properties.Item("max").Value = 1000;
sessionElement.Properties.Item("timeout").Value = "00:10:00";



Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set aspSection = adminManager.GetAdminSection("system.webServer/asp", "MACHINE/WEBROOT/APPHOST/Default Web Site")

Set sessionElement = aspSection.ChildElements.Item("session")
sessionElement.Properties.Item("allowSessionState").Value = True
sessionElement.Properties.Item("max").Value = 1000
sessionElement.Properties.Item("timeout").Value = "00:10:00"

Deprecated Elements